Header Insertion for Content Security

Header Insertion for Content Security

book

Article ID: CTX218065

calendar_today

Updated On:

Description

Use Case:

HTTP response can carry different header for ensuring better security of the payload/content. These headers help with different aspects of content and connection security.

F5 iRules:

when RULE_INIT {
 set static::fqdn_pin1 "X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg="
 set static::fqdn_pin2 "MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec="
 set static::max_age 15552000
}
when HTTP_REQUEST {
 HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
}
when HTTP_RESPONSE {
 #HSTS
 HTTP::header insert Strict-Transport-Security "max-age=$static::max_age; includ
eSubDomains"
#HPKP
 HTTP::header insert Public-Key-Pins "pin-sha256=\"$static::fqdn_pin1\" max-age=
$static::max_age; includeSubDomains"
 #X-XSS-Protection
 HTTP::header insert X-XSS-Protection "1; mode=block"
 #X-Frame-Options
 HTTP::header insert X-Frame-Options "DENY"
 #X-Content-Type-Options
 HTTP::header insert X-Content-Type-Options "nosniff"
 #CSP
 HTTP::header insert Content-Security-Policy "default-src https://devcentral.f5.
com:443"
 #CSP for IE
 HTTP::header insert X-Content-Security-Policy "default-src https://devcentral.f
5.com:443"}

NetScaler Solution:

add ns variable fqdn_pin2 -type text(100)

add ns assignment as1 -variable $fqdn_pin1 -set
'"X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg="'

add ns variable fqdn_pin1 -type text(100)

add ns assignment as2 -variable $fqdn_pin2 -set
'"MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec="'

add ns variable max_age -type ulong
add ns assignment as3 -variable $max_age -set 15552000

add responder action actionnew redirect "\"https://\" +
HTTP.REQ.HOSTNAME.HTTP_URL_SAFE +
HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE"

add responder policy policynew true actionnew

add rewrite action Rew_act INSERT_HTTP_HEADER "Strict-Transport-Security" "\"maxage=\"
+ $max_age"

add rewrite action Rew_act1 INSERT_HTTP_HEADER pin-sha256 "$pin-sha256 + \"maxage=\"
+ $max_age + \"includeSubDomains\""
add rewrite action Rew_act2 INSERT_HTTP_HEADER X-XSS-Protection "\""1\" +
\"mode=block\""

add rewrite action Rew_act3 INSERT_HTTP_HEADER X-Frame-Options "\"DENY"\"

add rewrite action Rew_act4 INSERT_HTTP_HEADER X-Content-Type-Options "\"nosniff"\"

add rewrite action Rew_act5 INSERT_HTTP_HEADER Content-Security-Policy "\"default-src
https://devcentral.f5.com:443"\"

add rewrite action Rew_act6 INSERT_HTTP_HEADER X-Content-Security-Policy "\"defaultsrc
https://devcentral.f5.com:443"\"

Above configuration adds respective security headers to the HTTP response flowing through    
NetScaler.

Issue/Introduction

Header Insertion for Content Security.
Powered by Wolken Software